⚠️ Authorised Targets Only: DirBuster sends hundreds of HTTP requests per second to target web servers. Use it only against your own DVWA, Metasploitable, or systems you own. Running it against any web server without explicit written authorisation is illegal under computer fraud laws worldwide.
Dirbuster tutorial Kali Linux 2026 :— Every web server hides more than it shows. The pages linked from the homepage are a fraction of what actually exists. Admin panels, backup directories, configuration files, old API endpoints, uploaded shell files from previous compromises — all of these live at paths that the application never links to, but that DirBuster finds by systematically checking thousands of common paths until something responds. This is web directory brute-forcing, and it is one of the most reliable sources of critical findings in any web application assessment. Day 16 teaches you to do it properly.
🎯 What You’ll Master in Day 16
Configure and launch DirBuster GUI against a web server target
Select the right wordlist for the job — speed vs coverage tradeoffs
Interpret HTTP response codes in scan results — what 200, 403, and 301 actually mean
Discover admin panels, backup directories, and upload paths on Metasploitable
Understand when DirBuster, dirb, and Gobuster are each the right tool
⏱️ 45 min read · 3 hands-on exercises
📋 What You’ll Master — Dirbuster Tutorial Kali Linux 2026
What DirBuster Is and How Directory Brute-Forcing Works
DirBuster is a Java-based GUI tool developed by OWASP that discovers hidden directories and files on web servers by iterating through a wordlist of common path names. For each entry in the wordlist, DirBuster sends an HTTP GET request — GET /admin/ HTTP/1.1 — and records the response code. A 200 OK means the path exists and is accessible. A 403 Forbidden means the path exists but access is restricted. A 404 Not Found means it does not exist. After running through thousands of paths, DirBuster produces a map of everything that exists on the server — even paths the application never links to.
This matters because developers frequently leave sensitive content at predictable paths. Backup files at /backup.zip, configuration exports at /config.php.bak, admin interfaces at /admin/ or /management/, and old API versions at /api/v1/ after a migration to /api/v2/. None of these are linked from anywhere. All of them are found by DirBuster in the first scan.
🧠 EXERCISE 1 — THINK LIKE A HACKER (8 MIN · NO TOOLS)
Predict Hidden Directories Before Running DirBuster
⏱️ Time: 8 minutes · No tools required
You are about to assess a web application for a medium-sized
e-commerce company. Their public site has: a product catalogue,
a checkout system, a customer login portal, and a blog.
BEFORE running DirBuster, predict:
1. What admin interface paths are most likely to exist?
(Think about what technology stacks commonly use — WordPress,
PHP, custom frameworks all have common admin paths)
2. What backup or development paths might a developer leave
behind on a production server?
(Think: what do developers commonly name test files?)
3. What API paths would you expect behind an e-commerce site?
(Orders, products, users, payments, webhooks)
4. If the site runs PHP, what configuration file paths are
most commonly found accessible on misconfigured servers?
5. The checkout system “was rebuilt 6 months ago” according to
their job listings. What legacy paths might still exist?
Write 10 specific paths you would expect DirBuster to find —
BEFORE running it. Then compare your predictions to the results
after Exercise 2.
✅ Answer framework: Admin paths — /admin/, /administrator/, /wp-admin/, /backend/, /panel/, /management/. Backup/dev — /backup/, /old/, /test/, /dev/, /.git/, /backup.zip, /index.php.bak. API — /api/, /api/v1/, /api/v2/, /api/orders/, /api/products/. PHP config — /config.php, /wp-config.php, /configuration.php, /.env. Legacy checkout — /checkout-old/, /cart-v1/, /shop/. The habit of pre-thinking expected directories before running any automated tool is what separates professional testers from people who just run tools and read output. Your predictions create a mental model that helps you spot anomalous findings immediately.
📸 Write your 10 predicted paths and share in #day-16-dirbuster on Discord before running Exercise 2.
GUI Setup — Configuring DirBuster for Your First Scan
LAUNCH DIRBUSTER
# Launch from terminal
dirbuster
# Or from applications menu:
Applications → Web Application Analysis → dirbuster
📸 DirBuster configuration for a Metasploitable lab scan — target URL, 20 threads, medium wordlist, and php/txt/html/bak extensions. Recursive scanning ensures subdirectories within found directories are also enumerated.
Wordlists — Which One to Use and Why It Matters
The wordlist is the most important DirBuster configuration choice. A scan is only as good as the paths it checks — if your target uses a non-standard admin path like /management-portal/ and your wordlist does not contain it, DirBuster will never find it. The tradeoff is always speed vs coverage: a small wordlist finishes in minutes but misses uncommon paths; a large wordlist takes hours but finds nearly everything.
WORDLIST SELECTION GUIDE
# DirBuster built-in wordlists
directory-list-2.3-small.txt # 87K entries · fast · CTF/quick recon
✅ What you just learned: Metasploitable is intentionally loaded with vulnerable web applications — DirBuster will find /dvwa/, /phpMyAdmin/, /mutillidae/, /tikiwiki/, /phpinfo.php, and several others in a single small-wordlist scan. Each of these is a separate attack surface. /phpMyAdmin/ with default credentials gives direct database access. /phpinfo.php reveals the entire server configuration. /mutillidae/ is another intentionally vulnerable application. This is why directory brute-forcing is a mandatory step in every web assessment — the indexed results from the homepage are never the complete picture. Compare what you found against your Exercise 1 predictions.
📸 Screenshot your DirBuster results showing 200-response paths and share in #day-16-dirbuster on Discord.
Interpreting Results — What 200, 403, and 301 Tell You
Response codes are the language of DirBuster results. A 200 OK is the ideal finding — the path exists, is accessible, and returned content. A 403 Forbidden is equally important — it means the directory exists and the server refuses to serve it, which often indicates an admin directory or sensitive location. Many testers dismiss 403 responses; professionals investigate them for misconfigured permissions, parent-directory traversal, or alternate access paths.
✅ What you just learned: Gobuster is significantly faster than DirBuster because it is written in Go, which handles concurrent HTTP requests more efficiently than Java. For the same wordlist and thread count, Gobuster typically finishes in a fraction of the time. However DirBuster GUI gives you a visual results tree that is easier to analyse during a scan — you can see findings in real time without parsing text output. The professional workflow: use DirBuster or dirb for initial exploration and learning, switch to Gobuster for production assessments where speed matters. Both tools, same technique — pick the one that fits the situation.
📸 Screenshot Gobuster results with timing and share in #day-16-dirbuster on Discord. Tag #dirbuster2026
🧠 QUICK CHECK — Day 16
DirBuster returns a 403 Forbidden response for the path /admin/ on a target web server. What does this tell you and what is the appropriate next step?
📋 Commands Used Today — Day 16 Reference Card
dirbusterLaunch DirBuster GUI — Java-based, visual results tree, good for learning
dirb URL wordlistSimple CLI directory brute-force — fastest to launch for quick checks
gobuster dir -u URL -w wordlist -x php,html -t 20Fast Go-based scanner — preferred for production assessments
directory-list-2.3-small.txt87K entries — CTF and quick scans
directory-list-2.3-medium.txt220K entries — balanced default for most assessments
200 = accessible · 403 = exists/denied · 404 = not foundResponse code cheat sheet for results triage
🏆 Mark Day 16 as Complete
Directory brute-forcing is on the checklist of every web application assessment. DirBuster gives you the GUI foundation; Gobuster gives you the speed for production work. You now know both, understand wordlist selection, and can interpret every response code in the results.
❓ Frequently Asked Questions
What is DirBuster and what does it do?
DirBuster is an OWASP Java GUI tool that discovers hidden web directories and files by sending HTTP requests for paths from a wordlist. It records which paths return 200 OK, 403 Forbidden, or 301 redirects — mapping everything that exists on the server even if never linked from the application.
What is the difference between DirBuster, dirb, and Gobuster?
DirBuster = Java GUI, visual results, good for learning. Dirb = simple CLI, fast to launch for quick scans. Gobuster = Go-based, significantly faster than both due to concurrency, no GUI, supports DNS subdomain mode too. For learning: DirBuster. For production: Gobuster.
What wordlist should I use with DirBuster?
Default: directory-list-2.3-medium.txt (220K entries, balanced). Fast scan: directory-list-2.3-small.txt or SecLists common.txt. Known CMS: technology-specific SecLists wordlists under /Discovery/Web-Content/CMS/. Full assessment: directory-list-2.3-big.txt plus recursive scanning.
What HTTP response codes matter in DirBuster results?
200 = accessible, investigate immediately. 301/302 = redirect, follow it. 403 = exists but access denied, note for auth testing. 401 = auth required, test credentials. 404 = not found, ignore.
Is DirBuster legal to use?
Legal only on systems you own or have written authorisation to test. Scanning any web server without explicit permission is illegal under computer fraud laws. In bug bounty: check the programme scope — some prohibit automated scanning even on in-scope domains.
What comes after DirBuster in the course?
Day 17 covers WPScan — WordPress-specific vulnerability scanning. After generic directory discovery with DirBuster, WPScan applies targeted enumeration to WordPress installations, finding vulnerable plugins, themes, and user accounts.
← Previous
Day 15: Enum4linux Tutorial 2026
Next →
Day 17: WPScan Tutorial 2026
📚 Further Reading
Enum4linux Tutorial Kali Linux 2026— Day 15 covers SMB enumeration — the network-layer counterpart to DirBuster’s web-layer discovery. Together they cover both attack surfaces on any target running SMB and HTTP.
Kali Linux Tools Hub— The complete Kali Linux tools reference — DirBuster sits in the web application analysis category alongside Nikto, SQLmap, Burp Suite, and the full web testing toolkit.
180-Day Kali Linux Mastery Course— The complete course hub — Day 16 DirBuster is part of the web application assessment phase covering Days 12–24, building from HTTP interception through full web vulnerability discovery.
Gobuster GitHub Repository— The official Gobuster source and documentation — DNS mode, S3 bucket enumeration, fuzzing mode, and all flags for directory brute-forcing at professional assessment speed.
SecLists GitHub Repository— The standard wordlist collection — the Discovery/Web-Content/ directory contains 50+ targeted wordlists for different technologies and frameworks that outperform generic DirBuster defaults.
ME
Mr Elite
Owner, SecurityElites.com
The first time directory brute-forcing genuinely surprised me was on a client assessment where the main application was thoroughly hardened — no obvious injection points, strong authentication, recent security review. DirBuster on the medium wordlist found /old-portal/ returning a 200 response. Inside was the previous version of the web application, deployed three years earlier during a migration, completely forgotten by the development team, running an unpatched PHP version with multiple known CVEs. The new application had a clean security posture. The old one was completely compromised in under an hour. The client did not know it existed. DirBuster found it in eight minutes. That finding changed how I think about web assessment completeness — you are never finished until you have run a directory scan. The application’s front page is never the whole story.
Leave a Reply